[Freeipa-devel] [PATCHES] 0594-0606 Convert default permissions to managed
Martin Kosek
mkosek at redhat.com
Mon Jun 23 15:51:16 UTC 2014
On 06/23/2014 02:59 PM, Petr Viktorin wrote:
> On 06/23/2014 10:07 AM, Martin Kosek wrote:
>> On 06/20/2014 11:17 PM, Martin Kosek wrote:
>>> On 06/20/2014 05:06 PM, Petr Viktorin wrote:
>>>> All these should be independent, except for conflicts in ACI.txt that are
>>>> easily solved by running makeaci.
>>>
>>> Umh, now the fun begins as I see :) There will probably need to be some rebase,
>>> it clashed with some other ACI patches in my tree (namely Hosts which I acked).
>
> Rebased on top of my patch 0607, please apply that first.
>
> Added a new patch, 0608, which adds missing write permissions.
>
>
>>> 594: we miss permissions for Automount Locations. Permissions for keys&maps
>>> look ok.
>
> Added in 0608.
>
>>>
>>> 595: "System: Modify Group Membership" is probably waiting for the group
>>> objectclass fix - the filter is different. Otherwise it looks ok.
>
> Right; rebased.
>
>>> 596-598: HBAC is ok
>>>
>>> 599: hostgroup is OK
>>>
>>> 600: there must have been some DS problem on my side as my regular user could
>>> not see any netgroup
>
> The problem is a bit closer to home this time.
> Fixed in patch 0607.
>
>>> 601: privileges - we miss CRUD ACIs
>
> Added in 0608.
>
> We also miss CRUD permissions on permissions, but since currently these need
> pretty much unlimited access to ACIs, it's better to keep them admin-only.
>
>>> 602: roles were ok
>>>
>>> 603: ok
>>>
>>> I got this far today, the rest will need to wait for the next week.
>>
>> 604: ok, I was able to create a service, get a keytab
>>
>> 605: Should we case the permissions as "Sudo Command" instead of "Sudo command"?
>
> Yes, fixed
>
>> 606: we also miss Modify Sudo Command permission so that people can modify
>> description. Otherwise ok.
>
> Added in 0608.
>
>
1) # ipa-server-install:
...
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
...
There is a problem in this pending update:
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'
You apparently also need to make this permission a member of the "Modify Group
membership" privilege.
2) We may not need "System: Modify Automount Locations" as there is just the CN
and we do not support renames in automountlocation API. I am not insisting.
When these 2 issues are resolved, we can push.
Martin
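The failure in 1) is of a general kind: an update file that only does `add:` on a DN that does not exist yet forces LDAPUpdate to perform an LDAP ADD, and an ADD with no objectclass is rejected by the directory server. The following Python script is an added example written for this thread, not FreeIPA's own ldapupdate code. It parses only the small subset of the update-file format visible in the quoted snippet (`dn:`, `default:`, `add:`, and a few sibling directives; the real format has more), expands `$SUFFIX` the way the update files expect, and reports every update that would have to create an entry without supplying any objectclass. The sample update text, the suffix `dc=example,dc=com`, the list of "existing" DNs, the generic `top`/`groupofnames` objectclasses in the corrected entry, and the function names `parse_updates` and `adds_without_objectclass` are all constructed for the example; a real IPA permission entry needs the objectclasses defined by the IPA schema.

```python
import re
from typing import Dict, List, Sequence

# Directive keywords of the update-file format as far as this example needs
# them (the real FreeIPA format has additional ones). The attribute may follow
# the keyword with or without a space: "add:member:" and "add: member:".
DIRECTIVES = ("default", "add", "remove", "only", "replace")

_LINE_RE = re.compile(
    r"^(?P<op>[a-z]+):\s*(?P<attr>[A-Za-z][\w;-]*):\s*(?P<value>.*)$"
)

# Constructed sample text. The first update is the pending update quoted in
# the thread (only an add:member, no objectclass). The second is a corrected,
# hypothetical update that creates its entry with the generic LDAP
# objectclasses top/groupofnames before adding the member; the check only
# cares that *some* objectclass is supplied when an entry must be created.
SAMPLE_UPDATES = """\
dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'

dn: cn=Example managed permission,cn=permissions,cn=pbac,$SUFFIX
default:objectclass: top
default:objectclass: groupofnames
default:cn: Example managed permission
add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'
"""

# Constructed list of entries assumed to already exist in the directory.
EXISTING_DNS = [
    "cn=permissions,cn=pbac,dc=example,dc=com",
    "cn=Modify Group membership,cn=privileges,cn=pbac,dc=example,dc=com",
]


def parse_updates(text: str, suffix: str) -> List[Dict]:
    """Parse update text into [{'dn': ..., 'ops': [(op, attr, value), ...]}].

    $SUFFIX is expanded first; values may be wrapped in single or double
    quotes, as in the quoted thread excerpt, and the quotes are stripped.
    """
    text = text.replace("$SUFFIX", suffix)
    updates: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            current = {"dn": line[3:].strip(), "ops": []}
            updates.append(current)
            continue
        if current is None:
            raise ValueError("directive before any dn: line: %r" % line)
        m = _LINE_RE.match(line)
        if m is None or m.group("op") not in DIRECTIVES:
            raise ValueError("unrecognised update line: %r" % line)
        value = m.group("value").strip().strip("'\"")
        current["ops"].append((m.group("op"), m.group("attr").lower(), value))
    return updates


def adds_without_objectclass(updates: Sequence[Dict],
                             existing_dns: Sequence[str]) -> List[str]:
    """Return DNs of updates that would create a new entry with no objectclass.

    If the target DN already exists the update becomes a MODIFY and needs no
    objectclass. If it does not exist, the directives are turned into an ADD,
    and an ADD without objectclass is rejected by the server, which is the
    "missing required attribute objectclass" error seen at install time.
    DN comparison is case-insensitive, a loose stand-in for LDAP DN matching.
    """
    existing = {dn.lower() for dn in existing_dns}
    problems = []
    for upd in updates:
        if upd["dn"].lower() in existing:
            continue
        creating_ops = [op for op in upd["ops"] if op[0] != "remove"]
        supplies_oc = any(attr == "objectclass" for _, attr, _ in creating_ops)
        if creating_ops and not supplies_oc:
            problems.append(upd["dn"])
    return problems


if __name__ == "__main__":
    parsed = parse_updates(SAMPLE_UPDATES, "dc=example,dc=com")
    for dn in adds_without_objectclass(parsed, EXISTING_DNS):
        print("would ADD without objectclass: %s" % dn)
```

Running it against the constructed sample reports only the first DN; once that permission entry is created first (or listed among the existing DNs), the same update parses as a plain MODIFY and the report is empty.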